My Website was hacked using Statcounter! Does Statcounter keep a record of cookies?

Posted by Cyril Gupta on Stack Overflow
Published on 2010-03-20T10:06:04Z Indexed on 2010/03/20 10:11 UTC

I had a rather interesting case of hacking on my ASP.Net MVC website. For this website I had implemented a rather uncomplicated authentication system for my admin area -- an encrypted cookie which had an identifying signature for the member. Whenever the admin visited the website, the cookie would be decrypted and the signature verified. If it matched, he wouldn't have to sign in.

A couple of days ago a visitor on my site told me that he was able to sign into my website simply by clicking on a referral link on his Statcounter console which pointed to my admin area (I had visited his site from a link inside my admin view).

He just clicked on a link in Statcounter and he was signed in as the admin!

The only way this could have happened was if Statcounter somehow recorded my cookies and used those when he clicked on the link pointing to my admin!

Is that logical or fathomable?

I don't understand what's going on. Do you have any suggestions as to how I can protect my website against things like this?
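One defensive way to implement the signed admin cookie the question describes, as an added example that is not the asker's code: the token is an HMAC over a member id and an expiry, it is compared in constant time, and it is only ever read from the Cookie header, never from the URL, so it cannot end up in a Referer header that an analytics console such as Statcounter records and displays as a clickable link. The secret, cookie name and claim layout are constructed for the example; an ASP.NET MVC equivalent would use HMACSHA256 from System.Security.Cryptography inside an authorization filter.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; in production load it from protected server config.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"
COOKIE_NAME = "admin_auth"
TTL_SECONDS = 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_cookie(member_id: str, now: Optional[int] = None) -> str:
    """Build base64(payload).base64(HMAC-SHA256(payload)); payload carries id + expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": member_id, "exp": now + TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_cookie(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the member id if the signature is valid and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        sig = base64.urlsafe_b64decode(sig_b64.encode())
    except ValueError:  # malformed token or bad base64 padding
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims["sub"]


def authenticate_request(cookies: dict, query: dict, now: Optional[int] = None) -> Optional[str]:
    """Only the Cookie header is trusted; a token in the query string is ignored,
    because URLs are sent as the Referer on outbound clicks and logged by analytics."""
    token = cookies.get(COOKIE_NAME)
    return verify_cookie(token, now) if token else None


def set_cookie_header(token: str) -> str:
    """Scope the cookie to the admin path and keep it off plain HTTP and out of script reach."""
    return f"{COOKIE_NAME}={token}; Path=/admin; Secure; HttpOnly; SameSite=Lax"
```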
